Hi,
If it helps, could you email the YARA rule and test email offlist and I'll
have a quick look.
I seem to remember hitting that issue.
Cheers,
Steve
Web: sanesecurity.com
Twitter: @sanesecurity
On 27 July 2016 08:35:53 kionez <kio...@anche.no> wrote:
Hi all,
I'm using custom YARA rules to detect many kinds of spam directed to my
customers; it's very effective and gives me many ways to intercept
localized messages (i.e.: spam in Italian and French).
Lately those spammers are using base64 encoding in the Subject: and body
part, making my rules ineffective.
I need to match some headers and the body part, because I don't want to
generate false positives.
I did some tests and I think that ClamAV is using this YARA/PCRE engine
only on the "original" message and then on every single message part
(excluding the mail headers), so if I want to run my rules on the
decoded body I have to give up on the headers check and vice versa (due to
the base64-encoded body in the original message).
Is there a way to decode the original message before scanning, or something
which permits running the YARA engine on the decoded message?
(I'm also RTFM'ing in amavisd-new, maybe with a custom filter...)
Thanks.
k.
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
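One way to get a single scannable text with both the decoded headers and the decoded body, so a YARA rule can match a Subject: string and a body string together, is to pre-decode the message before handing it to the scanner. This is an added example using only the Python standard library, not code from the thread or from ClamAV; it assumes you then run clamscan/yara on the text it returns (the sample message, the hypothetical example.invalid addresses and the Italian lure text are constructed).

```python
import base64
import email
from email.header import decode_header, make_header

def decode_headers(msg, names=("From", "Subject")):
    """Render selected headers with RFC 2047 encoded-words decoded, so a
    rule can match 'Subject: Fattura' instead of the base64 encoded-word."""
    lines = []
    for name in names:
        raw = msg.get(name)
        if raw is not None:
            lines.append(f"{name}: {make_header(decode_header(raw))}")
    return "\n".join(lines)

def decode_body(msg):
    """Undo Content-Transfer-Encoding (base64/quoted-printable) for every
    text/* part; attachments and other binary parts are left out."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "utf-8"
        chunks.append(payload.decode(charset, errors="replace"))
    return "\n".join(chunks)

def normalize_for_scan(raw_message: bytes) -> str:
    """Decoded headers followed by the decoded body as one text blob."""
    msg = email.message_from_bytes(raw_message)
    return decode_headers(msg) + "\n\n" + decode_body(msg)

# Constructed sample: an Italian-language lure with a base64 encoded-word
# in Subject and a base64-encoded body, as described in the thread.
SAMPLE_SUBJECT = "Fattura urgente: pagamento in sospeso"
SAMPLE_BODY = "Gentile cliente, apra l'allegato per saldare la fattura.\n"
SAMPLE_EML = (
    "From: fatturazione@example.invalid\n"
    "To: cliente@example.invalid\n"
    f"Subject: =?UTF-8?B?{base64.b64encode(SAMPLE_SUBJECT.encode()).decode()}?=\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "Content-Transfer-Encoding: base64\n\n"
    f"{base64.b64encode(SAMPLE_BODY.encode()).decode()}\n"
).encode()

if __name__ == "__main__":
    # Feed this text to clamscan/yara instead of the raw message.
    print(normalize_for_scan(SAMPLE_EML))
```

The raw message contains neither the plaintext subject nor the body phrase, while the normalized text carries both, which is what lets one rule reference a header string and a body string in the same condition.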